Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1017576.1
Update Date: 2009-05-06

Solution Type  Technical Instruction Sure

Solution 1017576.1: Sun StorageTek[TM] 5000 Series NAS: Credential Mapping for Windows and UNIX(R) Administrative Accounts


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5220 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
  • Sun Storage 5310 NAS Gateway System

Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

Previously Published As
228728


Description
This document explains how built-in administrator accounts are used in conjunction with the credential mapping functionality.


Steps to Follow
The UNIX(R) root user, UID 0 and GID 0, is always mapped to the CIFS local Administrators group. The security identifier (SID) for the local group "Administrators" is a built-in (predefined) Windows SID: S-1-5-32-544.
This mapping conforms to the ownership assigned by Windows to files created by members of the Domain Admins group. Ownership of such files is always assigned to the built-in local Administrators group to provide domain independence; that is, to avoid losing access to these files in the event that the system is moved from one Windows domain to another. In the Windows permissions display box this SID appears as HOSTNAME\Administrators, where HOSTNAME is the NAS host name.

When the NAS joins a Windows domain, the Domain Admins group from that domain is given membership in the NAS local group "Administrators". This is consistent with Windows behavior.

An important effect of this is that a user who is a member of the Domain Admins group cannot individually own a file. When a member of the Domain Admins group takes ownership of a file, the file is owned by the Administrators group and mapped to the UNIX UID/GID 0 root account.

This also means that individual members of the Domain Admins group cannot participate in credential mapping. As they cannot individually own files, their individual credentials will never be attached to a file or directory object. A second, non-administrative account is recommended for these users if there is a need to own files or map their Windows credentials to non-root users.
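
The ownership rule above can be modelled in a few lines to check which entries in a user map can never take effect. This is an added example, not code from the NAS or from Sun; the `Token` class, the `cred_map` dictionary, the domain SIDs, the accounts and the UID/GID values are all constructed for illustration.

```python
# Added model of the ownership rule above; not NAS firmware code.
# The domain SIDs, accounts and UID/GID values are constructed samples.
from dataclasses import dataclass

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # SID quoted in the article
DOMAIN_ADMINS_RID = 512                  # well-known RID of Domain Admins
ROOT = (0, 0)                            # UNIX UID 0 / GID 0

@dataclass(frozen=True)
class Token:
    """Windows identity presented over CIFS."""
    name: str
    user_sid: str
    group_sids: tuple

def is_domain_admin(token, joined_domain_sid):
    """True if the token carries Domain Admins of the domain the NAS joined."""
    return f"{joined_domain_sid}-{DOMAIN_ADMINS_RID}" in token.group_sids

def owner_for(token, joined_domain_sid, cred_map):
    """(owner SID, (uid, gid)) recorded when `token` takes ownership of a file.
    cred_map is a hypothetical user map: Windows SID -> (uid, gid)."""
    if is_domain_admin(token, joined_domain_sid):
        return BUILTIN_ADMINISTRATORS, ROOT
    return token.user_sid, cred_map.get(token.user_sid)

def dead_mappings(tokens, joined_domain_sid, cred_map):
    """Accounts whose individual map entry can never be attached to a file."""
    return [t.name for t in tokens
            if t.user_sid in cred_map and is_domain_admin(t, joined_domain_sid)]

JOINED = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
OTHER = "S-1-5-21-4444444444-5555555555-6666666666"   # constructed
ALICE = Token("alice", f"{JOINED}-1104", (f"{JOINED}-513", f"{JOINED}-512"))
BOB = Token("bob", f"{JOINED}-1105", (f"{JOINED}-513",))
# Domain Admins of a domain the NAS did not join: not covered by the rule.
CAROL = Token("carol", f"{OTHER}-1106", (f"{OTHER}-512",))
CRED_MAP = {ALICE.user_sid: (1001, 100), BOB.user_sid: (1002, 100),
            CAROL.user_sid: (1003, 100)}

if __name__ == "__main__":
    for tok in (ALICE, BOB, CAROL):
        print(tok.name, owner_for(tok, JOINED, CRED_MAP))
    print("needs a second, non-administrative account:",
          dead_mappings([ALICE, BOB, CAROL], JOINED, CRED_MAP))
```

Accounts returned by `dead_mappings` are the ones for which the article recommends a second, non-administrative account.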



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5210 NAS Appliance

Internal Comments
The Knowledge Work Queue for this article is KNO-STO-NAS
NAS, CIFS, credential mapping, root, domain admins, administrator, audited
Previously Published As
90738

Change History
Date: 2007-10-03
User Name: 31620
Action: Approved
Comment: Verified Metadata - ok
Verified Keywords - ok (normalized)
Verified still correct for audience - currently set to contract
Audience left at contract as per FvF at
http://kmo.central/howto/content/voyager-contributor-standards.html
Checked review date - currently set to 2008-09-22
Checked for TM - added appropriate for STK product
Although this content is normalized, there are no dependent articles
Publishing under the current publication rules of 18 Apr 2005:
Version: 3
Date: 2007-10-01
User Name: 31620
Action: Accept
Comment:
Version: 0

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.